A security researcher says that the end is near for a cryptographic routine commonly used to protect the integrity of secure Web transactions and stored passwords, and for hundreds of other purposes. By 2018, writes Intel's Jesse Walker on a mailing list devoted to this form of cryptographic protection, a criminal organization could easily afford the cost of, in essence, forging the signature on critical security documents using commodity computing hardware. By 2021, he says, an academic group could afford to own or rent the necessary processing time. The good news is that there's ample time for the thousands of bits of software and millions of organizations to move to a better process.

The algorithm in question is SHA-1, where SHA stands for Secure Hash Algorithm, the second in a series of such routines published by the National Institute of Standards and Technology. A hash serves a critical purpose in digital certificates, which validate Web servers and other secure services, and in protecting passwords.

A hash results from taking a set of input text, which can be as short as a password, and running it through an enormous number of mathematical operations. The short sequence of digits that makes up a hash has no seeming relationship to the starting text, although feeding the same text in always produces the same hash. Vary the text slightly, changing just a single bit anywhere in it (such as the letter "B" becoming the letter "C"), and the hash is dramatically and unpredictably different.
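The single-bit behaviour described above can be measured directly. The following is an added example, not part of the original article: it flips every bit of a constructed sample message in turn and counts how many of SHA-1's 160 output bits change each time. The function names and sample messages are assumptions made for illustration.

```python
import hashlib

def sha1_bits(data: bytes) -> int:
    """Return the 160-bit SHA-1 digest of data as an integer."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def hamming(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")

def flip_bit(data: bytes, index: int) -> bytes:
    """Copy of data with one bit inverted (index 0 = lowest bit of byte 0)."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)

def avalanche_profile(message: bytes) -> list:
    """Digest bits changed by each possible single-bit flip of message."""
    base = sha1_bits(message)
    return [hamming(base, sha1_bits(flip_bit(message, i)))
            for i in range(len(message) * 8)]

# Constructed sample inputs: "B" (0x42) and "C" (0x43) differ in one bit.
MSG_B = b"Pay Bob 100"
MSG_C = b"Pay Cob 100"

if __name__ == "__main__":
    # Same input, same digest: the hash is deterministic.
    print("B:", hashlib.sha1(MSG_B).hexdigest())
    print("B:", hashlib.sha1(MSG_B).hexdigest())
    # One input bit changed: an unrelated-looking digest.
    print("C:", hashlib.sha1(MSG_C).hexdigest())
    changed = hamming(sha1_bits(MSG_B), sha1_bits(MSG_C))
    print(f"B -> C changed {changed} of 160 digest bits")

    # Repeat for every bit position in the message.
    profile = avalanche_profile(MSG_B)
    print(f"{len(profile)} single-bit flips: min={min(profile)}, "
          f"max={max(profile)}, mean={sum(profile) / len(profile):.1f}")
```

For an output that looks random, each flip should change about half of the digest bits, so the reported mean sits near 80.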
